A proportionate response to hacking

Our legal attitudes to hacking and cyber-attack are in a mess, frankly. Often (and yes, America, I’m looking at you) they are wildly disproportionate to the damage done. And even when they’re not, the judiciary and the mainstream press seem unable to come to any settled opinion about what should be done about the hacker ‘menace’.

There is a clear, basic principle here with which I have no argument: if you break the law you must expect to suffer the consequences.

What if you break the law in a good cause? Revolutionaries and social activists would claim, with justification, that they break bad laws because they are unjust and should be overturned, and sometimes break good laws because the end – a better world – justifies the means.

However, most intelligent activists will tell you that, if caught, they expect to be punished. With dissent comes risk. Becoming a revolutionary is not, and should not be, a safe, risk-free choice. That road would lead to chaos. And it’s why we regard genuine revolutionaries and dedicated activists as courageous.

So, if you can’t do the time, don’t mount the DDoS attack (yes, I know that doesn’t rhyme).

I think this is something that is often overlooked by those who drape themselves in the Anonymous flag. It’s probable that, in many cases, the attitude of ‘the laws don’t apply to us’ is simple immaturity. (The frontal lobes of the brain, where we weigh risk and the likely outcomes of our actions, don’t fully develop until we’re in our early 20s, which is one reason teenage drivers are so dangerous.) But it’s also easy to kid yourself that the kind of armchair activism perpetrated by some Anons is risk-free, especially if you’re clueless about how the attack tools you’re using actually work. LOIC, the tool handed round during Operation Payback, made no attempt to hide the user’s own IP address; everyone who pointed it at a target left that address in the target’s logs.

I also personally think that this principle is something not understood by Julian Assange, whose unwillingness to submit to due legal process entirely undermines his vision of himself as a campaigning hero.

But on the other hand…

The US has a vindictive penal system, with long sentences – often served in third-world conditions – for crimes that would attract prison terms a fraction of the length in the UK, or simply a fine. The Gary McKinnon farrago was a case in point. When his extradition was finally blocked in 2012, the UK’s Crown Prosecution Service decided not to bring a case of its own, citing the difficulty of prosecuting when the evidence sat in the US – even though McKinnon had admitted what he had done. And had he been convicted here, the likely sentence would have been a fraction of what he faced in the US.

Now, thankfully, the whole thing has been dropped, but he spent a decade of his life facing the very real and terrifying prospect of serving what, in UK terms, would have been considered a ‘life’ sentence – and for what? Strolling around a few incompetently protected US Government systems looking for aliens. This isn’t al Qaeda territory, for heaven’s sake.

Then there’s the sad case of Aaron Swartz. I’m still not clear that what Swartz did – writing a script to bulk-download copyrighted academic papers from JSTOR over MIT’s open guest network – was a crime. Certainly it breached JSTOR’s terms of use, but that is a civil matter, surely. Now that he’s dead, we’ll never know, because criminal guilt is only ever established by the courts, which leaves him innocent. The prosecutor in the case has since claimed that she was pushing only for a short sentence in a low-security prison, although it seems probable that the state of mind that ended in Swartz’s suicide was at least in part the result of his contemplating a long time in gaol (the charges carried a maximum of 35 years and a $1m fine). And for what? The indictment dressed it up as wire fraud and computer fraud, but underneath it was copyright infringement at most. How does that warrant a custodial sentence of any kind?

And the courts have never really understood hacking – how it works or what damage (if any) it wreaks.

During the recent trial of one of the Anonymous OpPayback crew, Christopher Weatherhead, PayPal told the court that the hackers’ actions had resulted in costs of £3.5m. Oh really?

We’ve been here before, many times. Companies routinely inflate these figures and they are rarely challenged. It happened when Assange, aka ‘Mendax’, pleaded guilty to hacking charges in 1996: Nortel said he had caused $100,000 worth of damage, without ever having to prove it. Similar things happened with Kevin Mitnick.

Yes, forensic analysis and remediation cost money. But it’s usually left to the affected organisations themselves to decide how much, and they’re hardly unbiased parties.

In PayPal’s case, the figure apparently included the costs of installing new security systems to make its business safe, which inevitably leads us to question why such systems weren’t in place before. After all, infosecurity is part of the cost of doing business – just like locks on the door of your offices. PayPal handles our money and sensitive data, such as credit card information. It should have the best security that (our) money can buy.

This isn’t the same as saying that PayPal deserved to be hacked, or that hacking it somehow advances awareness of security – an argument often put forward by Anons. You no more have the right to hack a company with poor security than you have the right to take someone’s possessions just because they’ve left their door unlocked. A polite note would be enough.

But it does make me wonder if there wasn’t some degree of contributory negligence on PayPal’s part.

It’s complex, isn’t it? There seems to be no way of establishing a credible and fair assessment of what damage hackers do, although they clearly do some. And we’re often left with hysterical reactions by the media and even the courts, prompted more by ignorance than any rational view of what kind of danger hackers pose to society. In Mitnick’s case, a judge actually accepted the prosecution’s assertion that he could launch nuclear missiles by whistling into a payphone. It would have been comical if it hadn’t contributed to Mitnick being held for months in solitary confinement.

With such ignorance and dissembling it’s no wonder that sentences are all over the place, or that we witness prosecutions that seem to have more to do with cowing people into accepting the might of corporates than with making society in any way safer.

The answer, I suspect, lies in education – educating law enforcement, the courts, the media and the population at large as to what hacking and DDoS attacks and cybercrime actually mean. Swartz did not deserve to spend his last days fearing the kind of sentence handed out to rapists and murderers. At the same time, there are real criminals out there stealing millions of dollars via our computers.

We need a clearer view of what ‘cybercrime’ really is. We need a sense of proportion.